Embodiments of the present invention are directed to systems, apparatuses, and methods for controlling access to network services and connected devices by requiring proof of authorization to use such systems, devices and services, and specifically, to a method and associated system and apparatus for authenticating a person desiring to access a network and its associated services and devices using a combination of device data and biometric data.
Restricting access to a network, a device, or services connected to a network is a common way of implementing a security function to prevent unauthorized use of the network or improper access to sensitive data stored within the network. The restriction or control of user access is often implemented in whole or in part by a user authentication process. In this regard, a number of authentication methods for identifying a user and authorizing a user's access to network systems and services have been developed: for example, the use of a username and password to log in to a computer network, the use of a fingerprint detector to authorize access to a networked computer, or the use of an electronically readable identification badge and access gates to authorize access to a building or area.
Some authentication or authorization systems require a degree of user involvement as part of the process. The amount of user involvement may vary between systems, from being relatively minor and unobtrusive, to being significant and placing an undesired burden on the user. For example, a username and password login requires the user to remember their username and password and to enter that data into an input device. Similarly, the use of a badge requires a user to remember to carry their badge and to proceed through a particular area or to present the badge to an access control device. Other access control systems may require a user to answer a question, or to provide some other type of information in order to authenticate themselves.
While effective, such systems have a number of shortcomings, including their relative cost, complexity, level of security, and availability. For example, in systems where the user needs to remember a username and password, the user may choose a relatively weak (and hence guessable) password, or, if using a sufficiently strong password, may write the password down near the login point and thus potentially compromise security. Further, a relatively strong password may be more difficult for a user to remember (or may require regular changing), which reduces its value, since a password or other access control method that is difficult for a user to apply has a negative impact on the user's ability to access the system. Systems that use a badge to authorize a user can require a relatively expensive installed infrastructure (for example, badge readers and gates that limit access) and are not suitable where such infrastructure cannot be installed, for example, for a user logging on to a corporate network from home.
The need for user involvement in some authentication or authorization processes that are part of an access control system may also be a burden, resulting in the authentication operations being performed less frequently or with less care than would be desired for optimal security. For example, users typically log on to their computer at the start of a work session but are not required to log on again unless the system is left unattended for a sufficient period of time. As a result, a user leaving their desk for a couple of minutes typically leaves their system unattended and insecure, and during that time a security breach may occur.
What is desired is a system, apparatus, and method for controlling access to a network and to associated network services and network-connected devices by authorizing or authenticating a user in a manner that overcomes the disadvantages of present approaches to controlling access to networks and network-connected resources. It is further desired that the system, apparatus, or method for controlling access to a network and to associated network services and network-connected devices be implemented in a manner that requires minimal user input, operates to reauthorize the user on a regular or ongoing basis, is capable of de-authorizing the user if they leave the proximity of the secured system, and requires minimal infrastructure or cost to implement, while maintaining a sufficiently high degree of network security. Embodiments of the present invention address these and other disadvantages of the present approaches to controlling access to networks, network services, and network-connected devices, both individually and collectively.